Mayastor, Velero, Rancher improved
This commit is contained in:
parent
ce228aad70
commit
3a2c575e12
|
@ -1,6 +1,10 @@
|
||||||
---
|
---
|
||||||
- name: Include playbook talos
|
- name: Include playbook talos
|
||||||
ansible.builtin.import_playbook: talos.yml
|
ansible.builtin.import_playbook: talos.yml
|
||||||
|
tags:
|
||||||
|
- talos
|
||||||
|
|
||||||
- name: Include playbook services
|
- name: Include playbook services
|
||||||
ansible.builtin.import_playbook: services.yml
|
ansible.builtin.import_playbook: services.yml
|
||||||
|
tags:
|
||||||
|
- services
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
kubernetes_version: v1.26.7
|
kubernetes_version: v1.26.7
|
||||||
talos_version: v1.5.1
|
talos_version: v1.5.2
|
||||||
ansible_root_dir: "{{ inventory_dir | ansible.builtin.dirname }}"
|
ansible_root_dir: "{{ inventory_dir | ansible.builtin.dirname }}"
|
||||||
ansible_vault_password_file: "{{ ansible_root_dir }}/.ansible/vault_pass"
|
ansible_vault_password_file: "{{ ansible_root_dir }}/.ansible/vault_pass"
|
||||||
talos_generic_config_dir: "{{ ansible_root_dir }}/configs/talos"
|
talos_generic_config_dir: "{{ ansible_root_dir }}/configs/talos"
|
||||||
|
|
|
@ -0,0 +1,169 @@
|
||||||
|
---
|
||||||
|
# https://github.com/rancher/local-path-provisioner
|
||||||
|
|
||||||
|
- name: Local-Path storage Namespace
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: local-path-storage
|
||||||
|
labels:
|
||||||
|
pod-security.kubernetes.io/audit: privileged
|
||||||
|
pod-security.kubernetes.io/enforce: privileged
|
||||||
|
pod-security.kubernetes.io/warn: privileged
|
||||||
|
|
||||||
|
- name: Local-Path storage ServiceAccount
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: local-path-provisioner-service-account
|
||||||
|
namespace: local-path-storage
|
||||||
|
|
||||||
|
- name: Local-Path storage ClusterRole
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: local-path-provisioner-role
|
||||||
|
rules:
|
||||||
|
- apiGroups: [ "" ]
|
||||||
|
resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
|
||||||
|
verbs: [ "get", "list", "watch" ]
|
||||||
|
- apiGroups: [ "" ]
|
||||||
|
resources: [ "endpoints", "persistentvolumes", "pods" ]
|
||||||
|
verbs: [ "*" ]
|
||||||
|
- apiGroups: [ "" ]
|
||||||
|
resources: [ "events" ]
|
||||||
|
verbs: [ "create", "patch" ]
|
||||||
|
- apiGroups: [ "storage.k8s.io" ]
|
||||||
|
resources: [ "storageclasses" ]
|
||||||
|
verbs: [ "get", "list", "watch" ]
|
||||||
|
|
||||||
|
- name: Local-Path storage ClusterRoleBinding
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: local-path-provisioner-bind
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: local-path-provisioner-role
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: local-path-provisioner-service-account
|
||||||
|
namespace: local-path-storage
|
||||||
|
|
||||||
|
- name: Local-Path storage ConfigMap
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
kind: ConfigMap
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: local-path-config
|
||||||
|
namespace: local-path-storage
|
||||||
|
data:
|
||||||
|
config.json: |-
|
||||||
|
{
|
||||||
|
"nodePathMap": [
|
||||||
|
{
|
||||||
|
"node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
|
||||||
|
"paths": [ "/var/local" ]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
setup: |-
|
||||||
|
#!/bin/sh
|
||||||
|
set -eu
|
||||||
|
mkdir -m 0777 -p "$VOL_DIR"
|
||||||
|
teardown: |-
|
||||||
|
#!/bin/sh
|
||||||
|
set -eu
|
||||||
|
rm -rf "$VOL_DIR"
|
||||||
|
helperPod.yaml: |-
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: helper-pod
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: helper-pod
|
||||||
|
image: busybox
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
- name: Local-Path storage Deployment
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: local-path-provisioner
|
||||||
|
namespace: local-path-storage
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: local-path-provisioner
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: local-path-provisioner
|
||||||
|
spec:
|
||||||
|
serviceAccountName: local-path-provisioner-service-account
|
||||||
|
containers:
|
||||||
|
- name: local-path-provisioner
|
||||||
|
image: rancher/local-path-provisioner:v0.0.24
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
command:
|
||||||
|
- local-path-provisioner
|
||||||
|
- --debug
|
||||||
|
- start
|
||||||
|
- --config
|
||||||
|
- /etc/config/config.json
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/config/
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
volumes:
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: local-path-config
|
||||||
|
|
||||||
|
- name: Local-Path storage StorageClass
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: local-path
|
||||||
|
annotations:
|
||||||
|
storageclass.beta.kubernetes.io/is-default-class: 'true'
|
||||||
|
storageclass.kubernetes.io/is-default-class: 'true'
|
||||||
|
provisioner: rancher.io/local-path
|
||||||
|
parameters:
|
||||||
|
nodePath: /var/local
|
||||||
|
volumeBindingMode: WaitForFirstConsumer
|
||||||
|
reclaimPolicy: Delete
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: common
|
|
@ -0,0 +1,55 @@
|
||||||
|
---
|
||||||
|
- name: Namespace for Mayastor
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: mayastor
|
||||||
|
labels:
|
||||||
|
pod-security.kubernetes.io/audit: privileged
|
||||||
|
pod-security.kubernetes.io/enforce: privileged
|
||||||
|
pod-security.kubernetes.io/warn: privileged
|
||||||
|
|
||||||
|
- name: Helm add Mayastor repo
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
run_once: true
|
||||||
|
kubernetes.core.helm_repository:
|
||||||
|
name: mayastor
|
||||||
|
repo_url: "https://openebs.github.io/mayastor-extensions/"
|
||||||
|
|
||||||
|
- name: Helm deploy Mayastor
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.helm:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
chart_ref: mayastor/mayastor
|
||||||
|
release_name: mayastor
|
||||||
|
release_namespace: mayastor
|
||||||
|
create_namespace: false
|
||||||
|
wait: true
|
||||||
|
# https://github.com/openebs/mayastor-extensions/blob/develop/chart/values.yaml
|
||||||
|
values:
|
||||||
|
io_engine:
|
||||||
|
cpuCount: 1
|
||||||
|
etcd:
|
||||||
|
replicaCount: 3
|
||||||
|
tolerations:
|
||||||
|
- effect: NoSchedule
|
||||||
|
operator: Exists
|
||||||
|
|
||||||
|
- name: StorageClass mayastor-2replicas
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: storage.k8s.io/v1
|
||||||
|
kind: StorageClass
|
||||||
|
metadata:
|
||||||
|
name: mayastor-2replicas
|
||||||
|
namespace: mayastor
|
||||||
|
parameters:
|
||||||
|
ioTimeout: "30"
|
||||||
|
protocol: nvmf
|
||||||
|
repl: "2"
|
||||||
|
provisioner: io.openebs.csi-mayastor
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: common
|
|
@ -0,0 +1,84 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
#
|
||||||
|
# Not tested and finished yet.
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Helm add Hashicorp repo
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
run_once: true
|
||||||
|
kubernetes.core.helm_repository:
|
||||||
|
name: hashicorp
|
||||||
|
repo_url: "https://helm.releases.hashicorp.com"
|
||||||
|
|
||||||
|
- name: Helm deploy Hashicorp Vault Secrets Operator
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.helm:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
chart_ref: hashicorp/vault-secrets-operator
|
||||||
|
release_name: vault-secrets-operator
|
||||||
|
release_namespace: vault-secrets-operator-system
|
||||||
|
create_namespace: true
|
||||||
|
wait: true
|
||||||
|
# https://github.com/hashicorp/vault-secrets-operator/blob/main/chart/values.yaml
|
||||||
|
values:
|
||||||
|
defaultVaultConnection:
|
||||||
|
enabled: true
|
||||||
|
address: "https://zabbix.snel.com:8200"
|
||||||
|
skipTLSVerify: false
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: manager
|
||||||
|
args:
|
||||||
|
- "--client-cache-persistence-model=direct-encrypted"
|
||||||
|
|
||||||
|
- name: VaultAuth
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: static-auth
|
||||||
|
namespace: app
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: demo-auth-mount
|
||||||
|
kubernetes:
|
||||||
|
role: role1
|
||||||
|
serviceAccount: default
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
|
||||||
|
- name: VaultStaticSecret
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: vault-kv-app
|
||||||
|
namespace: app
|
||||||
|
spec:
|
||||||
|
type: kv-v2
|
||||||
|
|
||||||
|
# mount path
|
||||||
|
mount: kvv2
|
||||||
|
|
||||||
|
# path of the secret
|
||||||
|
path: webapp/config
|
||||||
|
|
||||||
|
# dest k8s secret
|
||||||
|
destination:
|
||||||
|
name: secretkv
|
||||||
|
create: true
|
||||||
|
|
||||||
|
# static secret refresh interval
|
||||||
|
refreshAfter: 30s
|
||||||
|
|
||||||
|
# Name of the CRD to authenticate to Vault
|
||||||
|
vaultAuthRef: static-auth
|
|
@ -60,19 +60,6 @@
|
||||||
- name: When Bitwarden item not found
|
- name: When Bitwarden item not found
|
||||||
when: "not _rancher_password_item | length"
|
when: "not _rancher_password_item | length"
|
||||||
block:
|
block:
|
||||||
- name: Get Rancher bootstrap secret
|
|
||||||
delegate_to: "{{ kubectl_host }}"
|
|
||||||
kubernetes.core.k8s_info:
|
|
||||||
kubeconfig: "{{ kubeconfig }}"
|
|
||||||
kind: Secret
|
|
||||||
name: bootstrap-secret
|
|
||||||
namespace: cattle-system
|
|
||||||
register: _rancher_bootstrap_secret
|
|
||||||
|
|
||||||
- name: Set rancher password fact
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
_rancher_bootstrap_password: "{{ _rancher_bootstrap_secret.resources[0].data.bootstrapPassword | ansible.builtin.b64decode }}"
|
|
||||||
|
|
||||||
- name: Create random password
|
- name: Create random password
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
_rancher_password: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
|
_rancher_password: "{{ lookup('ansible.builtin.password', '/dev/null') }}"
|
||||||
|
@ -106,7 +93,35 @@
|
||||||
cmd: "bw create item {{ _bitwarden_password_item | ansible.builtin.to_json | ansible.builtin.b64encode }}"
|
cmd: "bw create item {{ _bitwarden_password_item | ansible.builtin.to_json | ansible.builtin.b64encode }}"
|
||||||
changed_when: true
|
changed_when: true
|
||||||
|
|
||||||
- name: Rancher login
|
- name: Rancher login
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
ansible.builtin.uri:
|
||||||
|
url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
|
||||||
|
method: POST
|
||||||
|
body_format: json
|
||||||
|
body:
|
||||||
|
username: admin
|
||||||
|
password: "{{ _rancher_password }}"
|
||||||
|
status_code: [201,401]
|
||||||
|
register: _rancher_login
|
||||||
|
|
||||||
|
- name: Rancher change password
|
||||||
|
when: "_rancher_login.status == 401"
|
||||||
|
block:
|
||||||
|
- name: Get Rancher bootstrap secret
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s_info:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
kind: Secret
|
||||||
|
name: bootstrap-secret
|
||||||
|
namespace: cattle-system
|
||||||
|
register: _rancher_bootstrap_secret
|
||||||
|
|
||||||
|
- name: Set rancher password fact
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
_rancher_bootstrap_password: "{{ _rancher_bootstrap_secret.resources[0].data.bootstrapPassword | ansible.builtin.b64decode }}"
|
||||||
|
|
||||||
|
- name: Rancher login using bootstrap password
|
||||||
delegate_to: "{{ kubectl_host }}"
|
delegate_to: "{{ kubectl_host }}"
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
|
url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
|
||||||
|
@ -131,27 +146,6 @@
|
||||||
newPassword: "{{ _rancher_password }}"
|
newPassword: "{{ _rancher_password }}"
|
||||||
status_code: [200]
|
status_code: [200]
|
||||||
|
|
||||||
- name: Rancher logout
|
|
||||||
delegate_to: "{{ kubectl_host }}"
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "https://{{ rancher_hostname }}/v3/tokens?action=logout"
|
|
||||||
method: POST
|
|
||||||
headers:
|
|
||||||
Cookie: "R_SESS={{ _rancher_pwchange_login.json.token }}"
|
|
||||||
status_code: [200]
|
|
||||||
|
|
||||||
- name: Rancher login
|
|
||||||
delegate_to: "{{ kubectl_host }}"
|
|
||||||
ansible.builtin.uri:
|
|
||||||
url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
|
|
||||||
method: POST
|
|
||||||
body_format: json
|
|
||||||
body:
|
|
||||||
username: admin
|
|
||||||
password: "{{ _rancher_password }}"
|
|
||||||
status_code: [201]
|
|
||||||
register: _rancher_login
|
|
||||||
|
|
||||||
- name: Rancher logout
|
- name: Rancher logout
|
||||||
delegate_to: "{{ kubectl_host }}"
|
delegate_to: "{{ kubectl_host }}"
|
||||||
ansible.builtin.uri:
|
ansible.builtin.uri:
|
||||||
|
|
|
@ -16,4 +16,4 @@
|
||||||
--kubernetes-version '{{ kubernetes_version }}'
|
--kubernetes-version '{{ kubernetes_version }}'
|
||||||
--additional-sans '{{ talos_control_lb_hostname }}'
|
--additional-sans '{{ talos_control_lb_hostname }}'
|
||||||
--force
|
--force
|
||||||
creates: "{{ talos_node_config_file }}"
|
# creates: "{{ talos_node_config_file }}"
|
||||||
|
|
|
@ -16,4 +16,4 @@
|
||||||
--kubernetes-version '{{ kubernetes_version }}'
|
--kubernetes-version '{{ kubernetes_version }}'
|
||||||
--additional-sans '{{ talos_control_lb_hostname }}'
|
--additional-sans '{{ talos_control_lb_hostname }}'
|
||||||
--force
|
--force
|
||||||
creates: "{{ talos_node_config_file }}"
|
# creates: "{{ talos_node_config_file }}"
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: common
|
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Import talos_machine_status tasks
|
||||||
|
ansible.builtin.import_tasks: "{{ role_path }}/../../shared/tasks/talos_machine_status.yml"
|
||||||
|
|
||||||
|
- name: Reboot Talos
|
||||||
|
delegate_to: "{{ talosctl_host }}"
|
||||||
|
become: no
|
||||||
|
throttle: 1
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: >-
|
||||||
|
talosctl reboot
|
||||||
|
--wait=true
|
||||||
|
--endpoints '{{ ansible_remote }}'
|
||||||
|
--nodes '{{ ansible_remote }}'
|
||||||
|
{% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
|
||||||
|
changed_when: true
|
||||||
|
environment:
|
||||||
|
TALOSCONFIG: "{{ talosconfig }}"
|
||||||
|
|
||||||
|
- name: Wait for Talos port 50000
|
||||||
|
delegate_to: "{{ talosctl_host }}"
|
||||||
|
become: no
|
||||||
|
throttle: 1
|
||||||
|
ansible.builtin.wait_for:
|
||||||
|
host: "{{ ansible_remote }}"
|
||||||
|
port: 50000
|
|
@ -3,14 +3,21 @@
|
||||||
- name: Upgrade Talos
|
- name: Upgrade Talos
|
||||||
delegate_to: "{{ talosctl_host }}"
|
delegate_to: "{{ talosctl_host }}"
|
||||||
become: no
|
become: no
|
||||||
|
throttle: 1
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: >-
|
cmd: >-
|
||||||
talosctl upgrade
|
talosctl upgrade
|
||||||
--image="ghcr.io/siderolabs/installer:{{ talos_version }}"
|
--image="ghcr.io/siderolabs/installer:{{ talos_version }}"
|
||||||
--endpoints '{{ ansible_remote }}'
|
--endpoints '{{ talos_control_lb_hostname }}'
|
||||||
--nodes '{{ ansible_remote }}'
|
--nodes '{{ ansible_remote }}'
|
||||||
|
--wait=true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
environment:
|
environment:
|
||||||
TALOSCONFIG: "{{ talosconfig }}"
|
TALOSCONFIG: "{{ talosconfig }}"
|
||||||
|
|
||||||
|
- name: Wait for Talos port 50000
|
||||||
|
delegate_to: "{{ talosctl_host }}"
|
||||||
|
become: no
|
||||||
|
ansible.builtin.wait_for:
|
||||||
|
host: "{{ ansible_remote }}"
|
||||||
|
port: 50000
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
kubernetes.core.helm:
|
kubernetes.core.helm:
|
||||||
kubeconfig: "{{ kubeconfig }}"
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
chart_ref: traefik/traefik
|
chart_ref: traefik/traefik
|
||||||
release_name: metallb
|
release_name: traefik
|
||||||
release_namespace: traefik
|
release_namespace: traefik
|
||||||
create_namespace: true
|
create_namespace: true
|
||||||
wait: true
|
wait: true
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: common
|
|
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Helm add VMware Tanzu repo for Velero
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
run_once: true
|
||||||
|
kubernetes.core.helm_repository:
|
||||||
|
name: vmware-tanzu
|
||||||
|
repo_url: "https://vmware-tanzu.github.io/helm-charts"
|
||||||
|
|
||||||
|
- name: Namespace for Velero
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.k8s:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
resource_definition:
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: velero
|
||||||
|
labels:
|
||||||
|
pod-security.kubernetes.io/audit: privileged
|
||||||
|
pod-security.kubernetes.io/enforce: privileged
|
||||||
|
pod-security.kubernetes.io/warn: privileged
|
||||||
|
|
||||||
|
#- name: Secret for Velero
|
||||||
|
# delegate_to: "{{ kubectl_host }}"
|
||||||
|
# kubernetes.core.k8s:
|
||||||
|
# kubeconfig: "{{ kubeconfig }}"
|
||||||
|
# resource_definition:
|
||||||
|
# apiVersion: v1
|
||||||
|
# kind: Secret
|
||||||
|
# metadata:
|
||||||
|
# name: wasabi
|
||||||
|
# namespace: velero
|
||||||
|
# labels:
|
||||||
|
# app.kubernetes.io/name: {{ include "velero.name" . }}
|
||||||
|
# app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
# app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
# helm.sh/chart: {{ include "velero.chart" . }}
|
||||||
|
# type: Opaque
|
||||||
|
# data:
|
||||||
|
|
||||||
|
- name: Helm deploy Velero
|
||||||
|
delegate_to: "{{ kubectl_host }}"
|
||||||
|
kubernetes.core.helm:
|
||||||
|
kubeconfig: "{{ kubeconfig }}"
|
||||||
|
chart_ref: vmware-tanzu/velero
|
||||||
|
release_name: velero
|
||||||
|
release_namespace: velero
|
||||||
|
create_namespace: false
|
||||||
|
wait: true
|
||||||
|
# https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/values.yaml
|
||||||
|
values:
|
||||||
|
initContainers:
|
||||||
|
- name: velero-plugin-for-aws
|
||||||
|
image: velero/velero-plugin-for-aws:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /target
|
||||||
|
name: plugins
|
||||||
|
- name: openebs-velero-plugin
|
||||||
|
image: openebs/velero-plugin:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /target
|
||||||
|
name: plugins
|
||||||
|
configuration:
|
||||||
|
# https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/backupstoragelocation.md
|
||||||
|
# https://velero.io/docs/v1.12/api-types/backupstoragelocation/#parameter-reference
|
||||||
|
backupStorageLocation:
|
||||||
|
- name: wasabi
|
||||||
|
provider: velero.io/aws
|
||||||
|
bucket: snelcom-velero
|
||||||
|
default: true
|
||||||
|
credential:
|
||||||
|
name: wasabi-secret
|
||||||
|
key: cloud
|
||||||
|
config:
|
||||||
|
region: eu-central-2
|
||||||
|
s3ForcePathStyle: true
|
||||||
|
s3Url: https://s3.eu-central-2.wasabisys.com
|
||||||
|
# https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/volumesnapshotlocation.md
|
||||||
|
# https://velero.io/docs/v1.12/api-types/volumesnapshotlocation/#parameter-reference
|
||||||
|
volumeSnapshotLocation:
|
||||||
|
- name: wasabi
|
||||||
|
provider: openebs.io/cstor-blockstore
|
||||||
|
bucket: snelcom-velero
|
||||||
|
default: true
|
||||||
|
credential:
|
||||||
|
name: wasabi-secret
|
||||||
|
key: cloud
|
||||||
|
config:
|
||||||
|
namespace: mayastor
|
||||||
|
local: "true"
|
||||||
|
credentials:
|
||||||
|
name: wasabi-secret
|
||||||
|
secretContents:
|
||||||
|
cloud: |
|
||||||
|
[default]
|
||||||
|
aws_access_key_id=PZJC2PIGBBUGV6SADUTH
|
||||||
|
aws_secret_access_key=Ir3eLXvZflinjIe01MDag6s0ReE1Af3zCG5bS4ID
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
17
services.yml
17
services.yml
|
@ -8,6 +8,23 @@
|
||||||
- talos_first_nodes
|
- talos_first_nodes
|
||||||
roles:
|
roles:
|
||||||
- role: metallb
|
- role: metallb
|
||||||
|
tags:
|
||||||
|
- metallb
|
||||||
- role: traefik
|
- role: traefik
|
||||||
|
tags:
|
||||||
|
- traefik
|
||||||
- role: cert_manager
|
- role: cert_manager
|
||||||
|
tags:
|
||||||
|
- cert_manager
|
||||||
- role: rancher
|
- role: rancher
|
||||||
|
tags:
|
||||||
|
- rancher
|
||||||
|
- role: local_path_storage
|
||||||
|
tags:
|
||||||
|
- local_path_storage
|
||||||
|
- role: mayastor
|
||||||
|
tags:
|
||||||
|
- mayastor
|
||||||
|
- role: velero
|
||||||
|
tags:
|
||||||
|
- velero
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Reset Talos
|
||||||
|
gather_facts: false
|
||||||
|
hosts:
|
||||||
|
- talos
|
||||||
|
roles:
|
||||||
|
- role: talos_reboot
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Reset Talos
|
- name: Upgrade Talos
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
hosts:
|
hosts:
|
||||||
- talos
|
- talos
|
||||||
|
|
Loading…
Reference in New Issue